FEDORA-2017-a11057f70e

enhancement update in Fedora 25 for ca-certificates

Status: stable 2 years ago

This update supports a new PKCS#11 attribute CKA_NSS_MOZILLA_CA_POLICY. The attribute has been defined by NSS version 3.30. The attribute is expected to be set to true for CA certificates that have been added as part of the Mozilla CA Policy process.

The enhancement is required for compatibility with the future Firefox 54 release, which will query this attribute when accessing root CA certificates from the loaded CA trust module. On Fedora, Firefox is configured to access the p11-kit-trust module, instead of the NSS CA trust module nssckbi. This change to the ca-certificates package will make the attribute available to p11-kit-trust and Firefox.

Support for this new attribute requires p11-kit-trust version and build 0.23.2-3, which contains the relevant backported functionality from upstream version 0.23.5.

To enable the addition of this attribute, the ca-certificates package has been changed to use p11-kit-trust's flexible p11-kit-object-v1 file format for the internal packaging of the CA certificates list.

The update-ca-trust command has been changed to add comments to extracted PEM format files.

The changes in this package version shouldn't affect any existing functionality or trust.

How to install

sudo dnf upgrade --advisory=FEDORA-2017-a11057f70e

Comments 17

This update has been submitted for testing by kengert.

kengert edited this update.

works for me the whole day (firefox, thunderbird....)

karma: +1

This update has been pushed to testing.

Works here on x86_64.

karma: +1 critpath: +1

works for me

karma: +1
karma: +1 critpath: +1

no regressions noted

karma: +1

works for me

karma: +1

No regressions here

karma: +1

works for me

karma: +1

https in firefox works fine

karma: +1

This update has been submitted for stable by kengert.

This update has been unpushed.

This update has been submitted for stable by kengert.

This update has been pushed to stable.

Content Type
RPM
Status
stable
Test Gating
Submitted by
Update Type
enhancement
Update Severity
unspecified
Karma
+10
stable threshold: 3
unstable threshold: -3
Autopush
Disabled
Dates
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago
modified 2 years ago

Related Bugs 2

00 #1418739 ca-certificates must set the nss-mozilla-ca-policy pkcs#11 attribute for Mozilla CAs
00 #1418741 Change the CA + trust input format given from ca-certificates to p11-kit-trust

Automated Test Results